sendmail 8.12.8 available

From: Claus Assmann (ca+bugtraqat_private)
Date: Mon Mar 03 2003 - 09:08:09 PST

    -----BEGIN PGP SIGNED MESSAGE-----
    
    Sendmail, Inc., and the Sendmail Consortium announce the availability
    of sendmail 8.12.8.  It contains a fix for a critical security
    problem discovered by Mark Dowd of ISS X-Force; we thank ISS X-Force
    for bringing this problem to our attention.  Sendmail urges all users to
    either upgrade to sendmail 8.12.8 or apply the patch for 8.12 that
    is part of this announcement.  Patches for older versions can be
    downloaded from ftp.sendmail.org, see http://www.sendmail.org/ for
    details.  Remember to check the PGP signatures of patches or releases
    obtained.  For those not running the open source version, check
    with your vendor for a patch.  There is a bug fix for ident parsing
    in 8.12.8.  While this is not believed to be exploitable, if you
    are not upgrading to 8.12.8, you may want to turn off ident checking
    by adding this to your .mc file:
    
    define(`confTO_IDENT', `0s')
    
    
    For a complete list of changes see the release notes down below.
    
    Please send bug reports to sendmail-bugsat_private as usual.
    
    Note: We have changed the way we digitally sign the source code
    distributions to simplify verification: in contrast to earlier
    versions, two .sig files are provided, one each for the gzip'ed
    version and the compressed version. That is, instead of signing the
    tar file, we sign the compressed/gzip'ed files, so you do not need
    to uncompress the file before checking the signature.
    
    This version can be found at
    
    ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.8.tar.gz
    ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.8.tar.gz.sig
    ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.8.tar.Z
    ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.8.tar.Z.sig
    
    and the usual mirror sites.
    
    MD5 signatures:
    
    71b4ce8276536b82d4acdf6ec8be306a sendmail.8.12.8.tar.gz
    2ecf7890c2ff5035aed8d342473d85a5 sendmail.8.12.8.tar.gz.sig
    b06953b5fd11f9cd63b1eb89625ad881 sendmail.8.12.8.tar.Z
    b505fc5b36fbba5b3af2afecb4d587b3 sendmail.8.12.8.tar.Z.sig
    
    You either need the first two files or the third and fourth, i.e.,
    the gzip'ed version or the compressed version and the corresponding
    .sig file.  The PGP signature was created using the Sendmail Signing
    Key/2003, available on the web site (http://www.sendmail.org/) or
    on the public key servers.
    
    Since sendmail 8.11 and later include hooks to cryptography, the
    following information from OpenSSL applies to sendmail as well.
    
       PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY
       SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING
       TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME
       PARTS OF THE WORLD.  SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR
       COUNTRY, RE-DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL
       SUGGESTIONS OR EVEN SOURCE PATCHES TO THE AUTHOR OR OTHER PEOPLE
       YOU ARE STRONGLY ADVISED TO PAY CLOSE ATTENTION TO ANY EXPORT/IMPORT
       AND/OR USE LAWS WHICH APPLY TO YOU. THE AUTHORS ARE NOT LIABLE FOR
       ANY VIOLATIONS YOU MAKE HERE. SO BE CAREFUL, IT IS YOUR RESPONSIBILITY.
    
    			SENDMAIL RELEASE NOTES
          $Id: RELEASE_NOTES,v 8.1340.2.113 2003/02/11 19:17:41 gshapiro Exp $
    
    
    This listing shows the version of the sendmail binary, the version
    of the sendmail configuration files, the date of release, and a
    summary of the changes in that release.
    
    8.12.8/8.12.8	2003/02/11
    	SECURITY: Fix a remote buffer overflow in header parsing by
    		dropping sender and recipient header comments if the
    		comments are too long.  Problem noted by Mark Dowd
    		of ISS X-Force.
    	Fix a potential non-exploitable buffer overflow in parsing the
    		.cf queue settings and potential buffer underflow in
    		parsing ident responses.  Problem noted by Yichen Xie of
    		Stanford University Compilation Group.
    	Fix ETRN #queuegroup command: actually start a queue run for
    		the selected queue group.  Problem noted by Jos Vos.
    	If MaxMimeHeaderLength is set and a malformed MIME header is fixed,
    		log the fixup as "Fixed MIME header" instead of "Truncated
    		MIME header".  Problem noted by Ian J Hart.
    	CONFIG: Fix regression bug in proto.m4 that caused a bogus
    		error message: "FEATURE() should be before MAILER()".
    	MAIL.LOCAL: Be more explicit in some error cases, i.e., whether
    		a mailbox has more than one link or whether it is not
    		a regular file.  Patch from John Beck of Sun Microsystems.
    
    
    Instructions to extract and apply patch for sendmail 8.12:
    
    The data below is a uuencoded, gzip'ed tar file.  Store the data
    between "========= begin patch ========" and "========= end patch
    ==========" into a file called "patch.sm" and apply the following
    command:
    
    uudecode -p < patch.sm | gunzip -c | tar -xf -
    
    This will give you two files:
    
    sendmail.8.12.security.cr.patch
    sendmail.8.12.security.cr.patch.sig
    
    Check the integrity of the patch file using PGP or GPG, e.g.,
    
    gpg --verify sendmail.8.12.security.cr.patch.sig sendmail.8.12.security.cr.patch
    
    Then apply the patch to the sendmail source code:
    
    cd sendmail-8.12.7
    patch -p0 < sendmail.8.12.security.cr.patch
    
    recompile sendmail, and install the new binary.
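The verification steps above (MD5 against the announced values, then the detached PGP signature) collected into one script, as an added example that is not part of the announcement or of the sendmail distribution. It assumes md5sum (or BSD md5) and gpg are installed, that the Sendmail Signing Key/2003 has already been imported into the gpg keyring, and uses the file names and checksums listed above; the script name in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example (not from the announcement): refuse to unpack a sendmail
# 8.12.8 distribution unless its MD5 matches the announced value AND the
# detached PGP signature verifies. Assumes md5sum (or BSD md5) and gpg,
# and that the Sendmail Signing Key/2003 is already in the gpg keyring.

# Checksums as listed in the announcement above.
EXPECTED_MD5="71b4ce8276536b82d4acdf6ec8be306a sendmail.8.12.8.tar.gz
2ecf7890c2ff5035aed8d342473d85a5 sendmail.8.12.8.tar.gz.sig
b06953b5fd11f9cd63b1eb89625ad881 sendmail.8.12.8.tar.Z
b505fc5b36fbba5b3af2afecb4d587b3 sendmail.8.12.8.tar.Z.sig"

# md5_of FILE: print the MD5 hex digest of FILE with whichever tool exists.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print $1 }'
    else
        md5 -q "$1"
    fi
}

# expected_md5 NAME: print the announced checksum for NAME, or nothing.
expected_md5() {
    printf '%s\n' "$EXPECTED_MD5" | awk -v f="$1" '$2 == f { print $1 }'
}

# check_md5 FILE: 0 if FILE matches its announced checksum, 1 on mismatch,
# 2 if the announcement lists no checksum for that file name.
check_md5() {
    exp=$(expected_md5 "$(basename "$1")")
    if [ -z "$exp" ]; then
        echo "no announced checksum for $1" >&2
        return 2
    fi
    [ "$(md5_of "$1")" = "$exp" ]
}

# verify_release ARCHIVE: checksum the archive and its .sig, then verify the
# signature. Nothing is unpacked unless every step succeeds.
verify_release() {
    check_md5 "$1"     || { echo "MD5 mismatch: $1" >&2; return 1; }
    check_md5 "$1.sig" || { echo "MD5 mismatch: $1.sig" >&2; return 1; }
    gpg --verify "$1.sig" "$1" || { echo "PGP signature failed: $1" >&2; return 1; }
    echo "verified: $1"
}

# Usage (hypothetical script name): sh verify-sendmail.sh sendmail.8.12.8.tar.gz
if [ $# -gt 0 ]; then
    verify_release "$1" && gzip -dc "$1" | tar -xf -
fi
```

The MD5 step only catches a corrupted or substituted download; since the checksums travel in the same announcement as the download links, the gpg step is the one that actually authenticates the file against the Sendmail Signing Key.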
    
    ========= begin patch ========
    ========= end patch ==========
    